“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.
Submit ideas, suggestions and news tips to Jason via email.
The rising call to protect agency technology supply chains isn’t new. Back in 2012, the Senate Armed Services Committee released an eye-opening report on counterfeit electronic products in the Defense Department.
The Pentagon has been aware of counterfeit and supply chain problems dating back decades, but saw a huge upswing in these parts infiltrating its national security systems starting in 2005.
The recent SolarWinds cyber breach brought to light not only how complicated this challenge is but the need to stop staring at the problem and take real action.
Over the last few years, agencies have done a lot of thinking and planning with the development of the Cybersecurity Maturity Model Certification (CMMC) standards and the creation of the Federal Acquisition Security Council (FASC) to name a few, but real change has been hard to come by.
Jon Boyens, the deputy chief of the Computer Security Division at the National Institute of Standards and Technology, said a 2018 report by the Ponemon Institute found 66% of companies do not have a comprehensive third-party inventory. The 2019 Ponemon report found the average cost of a supply chain attack was $7.5 million and more than 50% of all respondents reported a breach in the two years.
“Even now, when we talk about supply chain risk management, it’s kind of a level set. It means different things to different people. Some people still do not get the relevance of it or they look at different aspects very adversarial,” Boyens said at a recent supply chain event sponsored by FCW.
This is why many believe the SolarWinds supply chain breach finally will get the government and industry to act more decisively and quickly.
Rep. John Katko (R-N.Y.), the ranking member of the Homeland Security Committee, explained this desire to take real actions and not just stare at the problem in a Jan. 19 letter to the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security.
“I remain concerned that the Federal Acquisition Security Council is not making rapid enough progress to operationalize its ability to leverage its authorities from the SECURE Technology Act,” Katko wrote to acting CISA director Brandon Wales. “It is our understanding that CISA is currently developing the analytical framework that will help guide how risk judgements are considered by the FASC. As a member of the council and the designated information sharing agency of the FASC, it is incumbent on CISA to ensure that all recommendations take into account the wide range of potential attack vectors to the supply chain. Recent revelations about the cyber campaigns against SolarWinds and other entities have reinforced the foundational importance of secure software for overall information and communications technology (ICT) supply chain risk management. Accordingly, specific attention should be given to software assurance and software development lifecycle considerations as part of the analytic framework behind FASC recommendations.”
The FASC has been more than two years in the making. President Donald Trump signed the Federal Acquisition Supply Chain Security Act of 2018 into law as part of the Secure Technology Act. The council finalized its strategic plan and its charter, and issued an interim rule detailing how it will share supply chain risk information and recommend removal or exclusion of specific products or technologies.
Katko asked for CISA to give the committee its timeline to operationalize the information sharing framework no later than Feb. 1.
His letter also demonstrates the need for the FASC, CISA and many others around government to move more quickly to address supply chain challenges.
A Government Accountability Office report from December shined a brighter light on this issue of doing something rather than just talking about it.
GAO says few of the 23 civilian CFO Act agencies implemented the seven best practices to protect the technology supply chain.
“[T]he potential exists for serious adverse impact on an agency’s operations, assets and employees. Nevertheless, the majority of the 23 agencies had not implemented any of the seven selected foundational practices for managing ICT supply chain risks,” GAO stated. “These practices included establishing executive oversight of ICT SCRM activities, developing an agencywide SCRM strategy, and establishing a process to conduct agencywide assessment of ICT supply chain risks. Among those agencies that had implemented any of the practices, none had fully implemented all of them.”
Boyens and others say while agencies are taking steps in the right direction, the government needs to implement key practices and principles to make progress more quickly.
NIST is outlining those eight key principles in a new publication NISTIR 8276. Boyens said he expects NIST to finalize the document in the next two to three weeks as it’s currently in the formal NIST review process. The agency released the draft 8276 for comments in February 2020.
He said the key principles NIST will include recommend that agencies establish a formal SCRM program to help decide which requirements will flow down to which suppliers, how best to assess and monitor the supply chain, and how to create relationships with and manage key suppliers.
“Sometimes a lot of the political and economic aspects get into SCRM and blurry the water a little bit, which is why trustworthiness is so important. Do I have a level of confidence that makes me think the other entity is trustworthy,” Boyens said. “A lot of that can be basic due diligence. How does the business conduct itself? Are they reliable? What are the confidence building mechanisms we can use? We rely heavily on standards and conformity assessment procedures to get us to that confidence level.”
NIST also will release the updated draft Special Publication 800-161 for supply chain risk management in the next month or two. The agency hasn’t updated the publication since 2015.
“In that publication, we are putting in key practices for cybersecurity aspects of supply chain risk management from a government perspective,” he said. “It’s most likely going to have a lot of aspects of NISTIR 8276, but it will be tailored to the U.S. government and our constraints.”
Boyens said it’s clear agencies can’t be 100% sure that they are receiving a trustworthy system. Instead, agencies need to make sure they are resilient and continue mission functions in the event of a breach.
“System security engineering is a key component to that, building resilient architecture and systems. That is where a lot of this is fundamental in cyber supply chain risk management,” he said.
CISA also has been active in the supply chain risk management space through its ICT Supply Chain Risk Management Working Group, which released its year two report in December highlighting six initiatives it worked on during 2020.
Among its deliverables in 2020 were the creation of a vendor SCRM template, which is a standardized set of questions to communicate ICT supply chain risk posture and analyze comparative risk among all types and sizes of organizations, to enable increased transparency in managing ICT outsourcing risks, and a threat evaluation working group. That committee conducted an assessment of threats to and from products and services, evaluating those threats with a scenario-based process. It also created a risk and mitigation resource by leveraging threat groupings and applying the National Institute of Standards and Technology Risk Management Framework described in NIST SP 800-161.
Bob Kolasky, the director of the National Risk Management Center at CISA, said at the FCW event that the task force will release its second version of the threat evaluation guide in the next week or two.
“The task force identified a couple hundred reference threats to the supply chain, including exploitation, physical and cyber threats,” he said. “The guidance will serve as a reference for risk managers so they can identify where their priority threats are and match them with vulnerabilities to their systems.”
He said government, industry and others downloaded version one of the guide 14,000 times in the year since the task force released it.
Few would argue that working groups and guidance aren’t important and help lay the groundwork for good work, but agencies and industry should know what the problems are by now when it comes to supply chain risks and should start fixing them.
When it came to federal acquisition policy, the four years of the Trump administration could be considered a time of laissez-faire.
There were only four acquisition memos signed off by the director of the Office of Management and Budget that didn’t deal with the COVID-19 pandemic in the past 48 months. Sure acquisition was part of many, if not all, of the technology memos and the data strategy memos, but those that addressed federal procurement and only federal procurement, were few and far between.
Along with those four OMB memos, the Office of Federal Procurement Policy issued five other memos, including three in the last month, which directed agencies to take specific steps to improve federal procurement.
In all, that’s nine memos in four years or 2.33 memos a year, which equals not a lot of oversight or changes to the federal acquisition process from a governmentwide and OMB level.
Now that doesn’t mean the federal acquisition process has been stagnant for four years. We all recognize there has been plenty of change, with the continued rise of other transaction agreements, the successes during the pandemic and the continued push for innovative approaches like reverse industry days and the use of robotics process automation to reduce manual or tedious processes.
This is why it’s significant that in his waning days as administrator, Michael Wooten, who joined in August 2019 as OFPP administrator, signed out three memos, including one to further drive one of his key initiatives — reducing acquisition timelines.
“This memorandum takes an important step toward measuring the timeliness of federal procurements by establishing a common definition of ‘procurement administrative lead time (PALT)’ and providing guidance on steps agencies should take to reduce PALT in their acquisition activities through modern business practices that shorten the time from the identification of need to delivery of value,” Wooten wrote in the Jan. 11 memo. “By measuring PALT and addressing areas of friction, the federal government will continue to build on prior actions to more effectively steward the use of American taxpayer dollars.”
Along with the PALT memo, Wooten signed out another one on Jan. 7 to reinforce the idea that agencies should limit how they require educational certifications and licenses instead of just accepting stated skills when buying IT services and other types of services.
“Focusing on desired competencies to achieve stated outcomes, rather than imposing degree requirements, helps to break down barriers to entry and promote effective competition by giving prospective government contractors the flexibility they need to build a team with the best suited personnel to address an agency’s requirements. This flexibility is especially important for those small businesses that may otherwise lack the resources to participate in competitions for services if their existing employees do not meet the educational requirements and deprive taxpayers of the resourcefulness and ingenuity that these small businesses could bring to the federal marketplace,” Wooten wrote. “In addition, by avoiding reflexive use of educational requirements, agencies can also realize significant savings and cost avoidance while still getting access to the critical skills they need.”
Wooten issued a third memo on Oct. 30 reminding agencies to take steps to increase the participation of people with disabilities in federal contracting, specifically by awarding more contracts to companies under the AbilityOne program. The memo states agencies spent about $4 billion with AbilityOne contractors in fiscal 2019.
While two of these memos are just good reminders, addressing the timeliness of acquisitions has been a priority for Wooten.
“I think [PALT] is a powerful management tool that we should use to examine our performance, to examine the performance of our systems and look for ways to improve the systems. It is not a bludgeoning tool to be used to whip the workforce to get product out faster,” Wooten said at the National Contract Management Association Government Contract Management Symposium in December. “We need to look at this as a measurement of the system and the effectiveness of the system.”
The memo finalized the definition of PALT — “[T]he time between the date on which an initial solicitation for a contract or order is issued by a federal department or agency and the date of the award of the contract or order” — and provides guidance to promote consistent application across agencies.
Wooten said the definition and use of PALT is a good first step toward improving the acquisition process.
“There is a lot of important work that goes on before you even start the PALT clock. We must not ignore that,” he said. “There are some agencies who already are measuring that and should continue to measure that. The whole point of frictionless acquisition is reducing the time between identifying a need and saying I’ve now received those goods and services.”
As a part of the frictionless acquisition cross-agency goal under the President’s Management Agenda, OFPP says in its fiscal 2020 fourth quarter update that the next step after releasing the definition is to capture and baseline data to create a common benchmark to improve agency processes.
OFPP set a goal for agencies to complete 90% of routine, non-major acquisitions and 80% of complex major acquisitions within a timeframe comparable to private sector averages or benchmarks of leading state and local governments or federal agencies by 2025.
“PALT can help to drive continual process improvement and the pursuit of more innovative procurement practices, especially when the data are used in combination with other inputs for evaluating the overall effectiveness of the acquisition process in delivering value to the taxpayer, such as cost and the quality of the contractor’s performance,” the memo stated. “As agencies evaluate PALT, they should consider the growing list of proven business practices and technologies that agency acquisition innovation advocates (AIAs) and industry liaisons have been promoting to reduce friction across the acquisition lifecycle. This includes using more innovative and less burdensome processes for conducting acquisitions, leveraging technology to modernize operations and help the workforce move from low to high value activities, and taking advantage of modern ‘high definition’ data analytics to support smarter buying decisions.”
Wooten’s memo includes a four-phase approach to reduce PALT as well as 17 agency examples of strategies to reduce lead time.
Of course, PALT varies depending on what agencies are buying.
Soraya Correa, the chief procurement officer at the Department of Homeland Security, said she believes the clock starts when a program office says “I think I have a need” and the contracting team starts engaging with the program office.
“The other step in this is how we do our market research. Is market research merely going online and seeing what contractor did this before or is it, maybe, going out to industry with this problem statement and say, ‘Tell us about this. How do you do this? How do you evaluate this?’ All too often we are hesitant to go talk to industry and a lot of times they have good answers, and by the way, if they have input into that solicitation, I think it helps us,” she said. “I think it helps us do a better solicitation and possibly helps us when we get to the debriefing and that all-dreaded protest phase because we would’ve had good industry input and hopefully we will learn from it. So when I think about PALT, I think about moving that dynamic to the left.”
This acceleration doesn’t mean a lack of rigor either. Wooten and others say the goal of PALT, under the Frictionless Acquisition initiative, is all about removing the tedious processes that have become barnacles to the procurement process.
For decades, the federal government received a bad rap when it came to innovation. The perception of the government always trailing the private sector seeped into the entire culture of the federal community, from political appointees to employees to contractors.
In fact, early on during the Obama administration a senior official on the technology and management speaking circuit kept deriding the “state of federal IT.”
The official talked at conferences and events about how far behind agencies were in implementing the latest and greatest IT of 2010.
Now 11 years later, that same official, who works with the incoming Biden administration, may be surprised about how much has changed.
A new survey of federal chief information officers and interviews with agency technology leaders show the IT and innovation gap between public and private sector organizations has closed significantly, and because of the COVID-19 pandemic, agencies are enjoying the taste of new technology more often.
“Agencies are getting better at adopting new technologies, which in turn contributes to enabling the workforce as well as an increased ability to deliver on the mission,” stated the survey of federal chief information officers by the Professional Services Council and Attain. “Core services, business and mission are more interconnected, as are agencies and the citizens they serve. People inside and outside of the government IT community are paying more attention to technology as they see the value it offers. One respondent felt strongly that IT is viewed as a ‘go-to organization’ within their agency. Through innovation and change management, technology has transformed how people are working. That individual reiterated a comment made when discussing modernization, saying that government needs to move in the direction of innovation initiatives, adding that people are looking for more innovation.”
PSC and Attain interviewed 11 agency CIOs and other federal technology leaders between July and October 2020 about seven broad topics including the state of IT modernization, cybersecurity, the workforce and the pandemic.
Simon Szykman, the chief technology officer at Attain, said government may never move at the rapid pace of the private sector, but they are not lagging like they once did and are catching up more quickly than ever before.
“I think in the past there was a challenge of re-skilling the federal workforce that may have had skills that weren’t leading edge. I’m not sure the reskilling challenge has been solved, but the ability to bring new technologies in the form of knowledge that’s brought in with new people seems to be happening more readily than in the past. Maybe it’s something as simple as that retirement wave is starting to happen and creating room to hire new people, which is always a challenge,” Szykman said.
The people that Szykman may be referring to are those that came in with the U.S. Digital Service, the Presidential Innovation Fellows program and the General Services Administration’s 18F organization as well as the push by the Office of Federal Procurement Policy to emphasize modernized acquisition initiatives.
While USDS and 18F were far from perfect during their first five or so years, their long-term impact on promoting innovation, new ways of implementing IT and upskilling federal employees is clear.
The other reason, Szykman said, that came through in the survey, and buoyed by the pandemic, is the improved relationship with industry.
“I think the government is becoming more effective at learning about these technologies, what they can do and what they want to do with those technologies to really leverage the private sector capabilities,” he said. “The private sector capabilities are more agile, you can bring in new skills more quickly, and you can swap people with one skillset out for people with another skillset so there is a level of agility that the contracting ecosystem brings. I feel like the government is now capitalizing on that more effectively than they had in the past and part of the reason is the good working relationship between government and industry.”
One example of that is the recent contract award by the General Services Administration to NCI Information Systems. The $807 million contract will support GSA’s Office of Digital Infrastructure Technologies (IDT) with technical expertise to move the government closer to industry leading practices in IT modernization, improving access and quality of services to internal customers and reducing delivery costs, according to a GSA spokesperson.
Erika Dinnie, the acting associate CIO for digital infrastructure technologies at GSA, said at a recent ATARC event that GSA constructed the contract differently than in the past, when it was a traditional support contract.
“This is designed to push down our operational costs and partner with our new contractor to introduce some of these innovative ideas and move to a digital organization and introducing innovation like artificial intelligence and robotics process automation (RPA),” she said. “We will be designing digital personas, for example, and using AI to develop those personas so we can get into predictive analysts so we can predict that some of the actions we are taking might result in these two or three options. It will help us make better decisions.”
GSA says it will use the contract to employ modern methodologies that introduce better alignment with our customer’s business needs and priorities in order to deliver business value and innovation.
Rick Holgate, a former CIO for the Justice Department’s Bureau of Alcohol, Tobacco, Firearms and Explosives and now a senior executive partner for the public sector at Gartner, said the pandemic provided CIOs and others the “courage” not to be so risk averse.
“Zoom, the Defense Department’s Commercial Virtual Remote (CVR) and many others were so urgently needed that endless foot-dragging and hand-wringing became impossible,” Holgate said. “The end-user expectations and pressure have become so intense as to be unavoidable and undeniable. Largely virtual/remote organizations have become a new normal in government agencies, operating much more akin to private-sector analogs; office space downsizing and reconfiguration is actively happening, rebalancing the portfolio of physical space and enabling technology.”
The incoming Biden administration seems to want to pick up on this innovation theme. President-elect Joe Biden’s pandemic relief proposal seems to have the handwriting of former members of 18F and USDS all over it. Among the things it includes is $200 million for the Information Technology Oversight and Reform (ITOR) fund to help rapidly hire hundreds of cyber and engineering experts to support the federal chief information security officer and U.S. Digital Service.
But unlike what happened when the Obama administration took over where they set up 18F and USDS to address systemic IT challenges, the combination of time and the pandemic has moved the needle for agencies and for the Biden technology leaders.
David Shive, the GSA CIO, said at the ATARC event that while there is plenty still to do, the IT innovation gap clearly has closed.
“I spend a lot of time with private sector CIOs. When I’m talking with them and I talk about the GSA experience, it is more often for me to hear from them, ‘Wow, you are light years ahead of us,’ than it is not,” Shive said. “Now, it depends on the type of organization you are talking to. If you are talking to Mary’s plumbing shop, then we are light years ahead of them. If you are talking to Google or someone like that, then probably not. But by and large, when I’m talking to Fortune 100 company CIOs, there is certain parity with what government is doing, many of the issues that we face are similar and many of the successes that we had in government, those CIOs are still trying to solve within their organizations.”
When it comes to federal procurement, the General Services Administration takes no off days.
While the GSA’s Federal Acquisition Service employees will never be mistaken for elite athletes — where this concept of no days off comes from — they aren’t wasting any time setting up 2021 to be a busy year for contractors and for new governmentwide acquisition contracts.
In the span of two weeks, GSA released the draft solicitation for Polaris, the small business GWAC to replace the debacle that was Alliant 2 Small Business as well as two requests for information — one for artificial intelligence and machine learning capabilities, and one to develop a new professional services vehicle.
These initial pieces of market research or acquisition strategy planning come as GSA already is reviewing bids for spots under the 8(a) STARS III GWAC and the ASTRO program. GSA expects to make awards for both of these programs in spring 2021 or thereabouts.
“We are looking at fiscal 2021 at being the year where we see some big awards,” said Laura Stanton, FAS’ assistant commissioner for the Office of Information Technology Category, during a recent event sponsored by ACT-IAC. “In fiscal 2020, the IT category facilitated more than $30 billion in annual government spend. We still are wrapping up those year-end numbers, but it represents the trust the federal agencies have put in us, the customer service, the support is reducing the procurement action lead time, innovation and data transparency and all of the things the agencies put their trust in ITC to make that happen. Out of that, we also provided more than $2 billion in savings and cost avoidance for the customers of ITC alone.”
Just for comparison, in 2019, the IT category saw about $26.5 billion in spending, which means FAS saw a 15% growth rate.
“Some of the growth in 2020 is likely from COVID and some of it is from use of best-in-class contracts and spend under management,” Stanton said.
Polaris, 8(a) STARS III, ASTRO and several other initiatives like the commercial platform, the 2GIT vehicle and OASIS with all the new vendors are slated to gain momentum in 2021, which means GSA will continue to capture more of the market.
There are several interesting aspects to the Polaris draft request for proposals starting off with its use of the Section 876 authority. GSA is not using price as an evaluation factor at the master contract level, meaning price only matters for each individual task order.
Driving competition down to the task order level has been a key priority for outgoing Administrator Emily Murphy during her tenure. With ASTRO first and now with Polaris, it seems the tide is starting to turn.
Another factor in Polaris is its call out of the Cybersecurity Maturity Model Certification (CMMC) standards. While the GWAC doesn’t require CMMC certification, GSA is asking vendors to become accredited.
Keith Nakasone, the deputy assistant commissioner for IT Acquisition in FAS’ ITC, said at the recent ACT-IAC event that vendors must move from self-attestation to a more rigorous review of components and parts.
“We are embedding the language in the GWAC. The level of certification will come in at the order level, meaning vendors don’t have to be certified at the master contract level. It’s going to be based on the orders that come through the GWAC,” he said. “We included the CMMC language within the master level so it’s within scope. At the order level, agencies can add additional requirements for levels 1-5 depending on their mission requirements. We want to leave that flexibility in the mission program and learn over time alongside with the Defense Department.”
GSA’s goal with Polaris, which has no maximum dollar ceiling, is to promote innovation through the seven technology performance areas that include cloud, cybersecurity, data management and software development.
“The contractor should approach agency task order requirements with technical proposals offering innovative solutions that leverage the flexibility provided by the master contract,” the draft RFP stated. “The choice to align the master contract scope with Technology Business Management (TBM) [standards] and the definitions of IT allows for the adoption of new technologies and innovative solution approaches as they evolve over the life of the contract. The government also encourages the contractor to continuously prospect for and establish strategic relationships, especially with innovative small businesses, to meet this objective.”
Polaris plans to make awards to three pools of vendors — small businesses, women-owned small businesses and Historically Underutilized Business Zone (HUBZone) small firms. Comments on the draft RFP are due by Jan. 29.
Innovation seems to be a common theme across GSA acquisition efforts.
The AI/ML RFI is asking product and service vendors for feedback on current capabilities, contracts already offering these technologies and agencies or sectors that already are using the products or services.
“We are taking these forward leaning approaches so that we can adopt technology as well as provide what we know today and inject future technology moving forward,” Nakasone said.
Responses to the RFI are due Jan. 29.
“We are keeping technology offerings that work currently on GWACS, but we are making some tweaks to emphasize emerging technologies like AI, edge computing and ‘anything as-a-service’ so customer agencies can tap into the small companies that provide these expertise to drive further IT modernization and improve service delivery,” said Allen Hill, the acting deputy assistant commissioner for category management in FAS.
Finally, the new professional services effort may not be considered a formal RFI, but FAS is working with ACT-IAC to hold listening sessions with vendors in early February.
“The next generation services IDIQ will seek to combine features such as unpriced master contracts, small business set asides, vetted and open enrollment with all order types including firm fixed price, cost-type, time and materials and hybrids into one centrally managed, user friendly structure,” GSA wrote in a fact sheet. “The goal is to complete an acquisition strategy that achieves the outlined objectives for this new contract program by fiscal 2021 end. After the acquisition strategy is completed our plan is to issue the solicitation in fiscal 2022, with awards and contract use beginning in fiscal 2023.”
Tiffany Hixson, the assistant commissioner for the professional services and human capital categories at FAS, said at the recent Coalition for Government Procurement conference that this effort is part of a new services marketplace that will bring together several different work streams.
She said there are three goals:
“The OASIS ordering period expires in 2024 so we are asking ‘what’s next?’ We will be talking to the federal acquisition community and industry about what that next is. We are beginning our formal market research and planning for what the next generation contract and best-in-class contract will be in government,” Hixson said. “Internal to the organization, we are formally establishing a collaborative community within FAS so we are working on services contracts more holistically and thinking about how to better provide those services contract needs.”
Professional services is among the largest growth areas for FAS. Hixson said usage of all services contracts under her portfolio grew 9.5% year over year, which meant $1.78 billion more sales in 2020. She said the biggest drivers were schedules contracts growing 11% and OASIS, which increased by 7% over 2019. Schedules sales outpaced OASIS for the first time in the last few years.
“Our five-year growth for all contract programs and that includes the human capital services programs, including HCATs and schedules, has been 60% over the last five years. In 2016, it was about $13 billion in business volume and in 2020, we had $21 billion in business volume,” she said. “For us, while the number is big, the important part of that message is our contracts are meeting the needs of the federal community.”
GSA is starting at the right place by listening and learning from its federal agency and industry customers. OASIS and the schedule contract for services have been highly successful, so the goal is to make them better, not just mess with a good thing.
Seven agencies will be looking for new chief information officers next week.
The departments of Homeland Security, Defense, Housing and Urban Development, State, Transportation and Veterans Affairs, as well as the Social Security Administration, will be saying good-bye to their politically-appointed CIOs. So too, will the Office of Management and Budget where Basil Parker, the federal CIO, and Camilo Sandoval, the federal chief information security officer, also will be exiting after a short tenure.
Rajive Mathur, the SSA CIO, left in October, but the last day for the others is expected to be Friday, according to government sources familiar with the expected changeover.
Stuart McGuigan, the State Department’s chief information officer, told staff on Monday that he is leaving on Jan. 20.
State confirmed McGuigan is leaving.
“Mr. McGuigan leaves behind a legacy of leading the department’s worldwide information technology transformation during the COVID-19 crisis, enterprise architecture, cybersecurity management, IT service delivery and talent management, to name just a few,” said a State spokesperson in an email to Federal News Network.
He has been CIO since March 2019 after Secretary Mike Pompeo appointed him to the position. Before coming to State, McGuigan spent his career in the private sector with companies such as Johnson & Johnson, where he was vice president and CIO, and CVS Caremark.
McGuigan is one of the few State CIOs who hadn’t previously worked at the agency either in the technology office or as a Foreign Service officer.
During his time at State, McGuigan led several initiatives including the reorganization of how the agency oversees cybersecurity, moving toward an agile approach to software development and adding more rigor to the IT review process.
State has a $2.6 billion IT budget in fiscal 2021, up from $2.4 billion last year. The Federal IT Dashboard states 81% of State’s projects are on schedule, but only 56% are on budget.
The other CIOs who are leaving by Jan. 20 include:
David Chow, HUD: Joined in August 2018, making him one of the longest serving political CIOs. Chow led HUD’s partnership with the IT Modernization Centers of Excellence and took advantage of the Technology Modernization Fund (TMF) loan to address long-standing legacy challenges.
Ryan Cote, Transportation: Joined in March 2019 and picked up the “big hairy audacious goals (BHAG)” of IT modernization that his predecessor, Vicki Hildebrand, launched. Cote said he focused on consolidating networks and improving the overall architecture, and consolidating about 1,700 web applications into a single platform.
Dana Deasy, DoD: Joined in April 2018, Deasy inherited the JEDI cloud program that remains mired in delays and protests. Despite his inability to get JEDI moving, he found success in creating several new strategies for digital transformation, identity and access management, and for data management. Most importantly, maybe, Deasy ensured the military services and defense agencies could telework during the pandemic, developing and launching the Commercial Virtual Remote (CVR) to support 250,000 remote workers a day.
Karen Evans, DHS: Became CIO in May, focusing on network modernization and security center operations upgrades. Evans also helped DHS thrive during the pandemic by expanding the virtual private network and implementing collaboration tools.
Jim Gfrerer, VA: Joined VA in January 2019, focusing on IT modernization, especially during the pandemic, when he upgraded network capacity and addressed the challenges with the Trusted Internet Connections (TIC) requirements.
The CIOs aren’t the only federal executives on the move.
Ken Bible is the new chief information security officer at DHS, coming over after spending the last five-plus years as the deputy CIO for the Marine Corps. He replaces Paul Beckman, who left in January 2020.
Also over at DHS, Daniel Kroese, the acting deputy assistant director of the National Risk Management center at the Cybersecurity and Infrastructure Security Agency, left to become the new staff director for the Republicans on the House Homeland Security Committee.
Kroese came to CISA in 2018 from Rep. John Ratcliffe’s office, where he was chief of staff, to help launch the center.
“[I] couldn’t be more excited to start this week as staff director on the House Committee on Homeland Security for Ranking Member John Katko (R-N.Y.). From cybersecurity to border security to counterterrorism and emergency preparedness – these are incredibly important issue areas where the country demands professionalism,” he wrote on LinkedIn. “Thank you to the dedicated men and women of the Cybersecurity and Infrastructure Security Agency for your friendship and partnership these past three years. It was an honor to work for great leaders like Christopher Krebs and Bob Kolasky. The fight continues, and I’ll see you on the other side.”
Oki Mek is inaugurating a new CXO position over at the Department of Health and Human Services. Mek, who has been with HHS for 10 years, is the new chief artificial intelligence officer (CAIO). Previously, he was the senior advisor to the CIO working on Reimagine HHS and the chief technology officer in the acquisition office.
While State is losing its CIO, it has gained a chief data officer. State named Matthew Graviss as its first permanent CDO. He previously served as the CDO at U.S. Citizenship and Immigration Services in the Department of Homeland Security.
NOAA also lost a key technology executive. Roy Varghese, the NOAA Fisheries CIO, took a new job with the Administrative Office of the U.S. Courts as the chief of the case management system office. He had been the NOAA Fisheries CIO since 2017 and with the agency since 2009.
“This job has been the best job of my life. That’s because the people I worked with became my close friends, the work I was doing was challenging and creative, and I am passionate about the environmental stewardship mission of NOAA. However, the most important reason why I loved NOAA was because my colleagues made me feel like I belonged there throughout my career,” Varghese wrote in a post on LinkedIn.
Earl Warrington, who spent more than 30 years in government, retired from the Small Business Administration where he was an IT program manager since July 2019. Warrington also worked at GSA for 18 years.
“New Year’s Eve, I concluded my 30+ year career with federal government. I want to thank the thousands of customers, industry partners and fellow government teammates and strategic partners for your support and trust over these many years,” Warrington wrote on LinkedIn. “It has been an honor and a privilege to serve and help to make a difference in the public sector on many presidential initiatives and agency mission objectives. These technologies and solutions have made such a positive impact on people’s lives. I have been blessed to work for incredible leaders; be a part of successful teams; and most of all to lead so many dedicated, smart and passionate people committed to excellence. Thanks for the ride and the drive. I’ll always be proud to have been a civil servant :-) Looking forward to my next adventure helping the private sector with their goals and mission to support government.”
Warrington said he will continue working as the director and co-founder of Government Sales and Consulting LLC.
On a sad note, John Garing, the former director of strategic planning and information at Defense Information Systems Agency, a retired Air Force colonel and an executive in the White House Communications Agency, passed away on Jan. 6. He was 78.
After leaving federal service in 2010, Garing worked at Suss Consulting and for Vion Corporation before retiring full-time in 2017.
According to the Washington Post obituary, a funeral mass will be held at 10 a.m. Tuesday, Jan. 12 at St. Bridget of Ireland Catholic Church, Berryville, Virginia. Burial will be at a later date at Arlington National Cemetery. The family asks that, in lieu of flowers, donations be made to Wounded Warrior Project.
If you got the odds the Government Accountability Office is giving vendors on bid protests in Las Vegas, you’d be rich and famous, and probably under investigation by the FBI for insider trading.
Imagine winning 51% of your bets on sports games or horse races. Those are the odds GAO is giving contractors who submit a protest to its office.
New data in GAO’s fiscal 2020 report to Congress on bid protests shows that vendors received some sort of corrective action 51% of the time.
“The reasons agencies take corrective action are diverse, but certainly they are overworked and understaffed so they have less time to follow protests through. I think they see corrective action as a way to dispense with a protest and give contractors some relief,” said Eric Crusius, a procurement lawyer and partner with Holland and Knight. “With all the money flowing through the government because of the pandemic, protestors are able to find reasons to protest more frequently. As money leaves doors more quickly, there are more opportunities to find mistakes made by agencies. We’ve seen a lot more corrective action over the last year to the point where I’m almost surprised when it doesn’t happen.”
GAO says the effectiveness rate, which measures how often an agency takes corrective action or the protest is sustained, jumped to 51% from 44% in 2019 and 2018. The agency says the sustain rate is 15%, also up from 13% the year before.
Shane McCall, the managing partner of Koprince Law, said he sees agencies making decisions about taking corrective action fairly quickly after the contractors file the complaint, especially if GAO rejects the government’s dismissal request.
“Sometimes you worry they will take corrective action to blunt the attack of the bid protest but it may not address the root problem,” McCall said. “Sometimes you’d wish it would go to decision versus having to file the same protest even after corrective action.”
Just looking at some of the high-profile acquisitions in 2020—the Defense Department’s DEOS and JEDI and the General Services Administration’s 2GIT, to name a few—the agencies didn’t take the protests to decision and decided to correct flaws in their evaluations or solicitations. Now, not all corrective action means vendors get the changes they sought, and many can point to agency corrective actions that never scratched the surface of the problem.
Crusius said this may be because agencies are taking a path that is less risky so as not to have to pay attorney’s fees if a protest goes to a hearing or even alternative dispute resolution (ADR).
GAO said ADR was another growth area in 2020. The number of cases using ADR jumped to 124 last year from 40 in 2019 and 86 in 2018.
Rob Burton, a former deputy administrator in the Office of Federal Procurement Policy and now a partner with Crowell and Moring, said GAO has been pushing ADR aggressively and encouraging examiners to engage in more of it.
“What’s not good about ADR is you don’t get a written opinion for precedent. A lot of clients would prefer to have more formal resolution of matter,” he said. “But ADR generally is pretty good with an 82% success rate, which means both parties resolve cases to their satisfaction.”
Basically, the odds that a protest will be successful in some way are greater than at any time in the last five years.
Barbara Kinosky, the managing partner of Centre Law and Consulting, also pointed out that GAO said in the report to Congress that all agencies followed their recommendations. This is the first time this has happened in years as well.
“I do think we will see the effectiveness rate continue to increase,” Kinosky said. “Part of the reason is we are all working from home and the extra hours in the day give people the opportunity to look at records in more detail and they were more able to pick up things like ambiguities or potential problems in procurements.”
At the same time, however, the number of protests dropped for the second year in a row. Burton and other experts say there are several reasons for the decrease.
“Part of the reasons for the number of protests dropping is DoD’s task order threshold went to $25 million from $10 million in 2019. I think this did have an impact because it was a big jump for DoD and more and more work is going through task orders,” Burton said. “Agencies also are doing more enhanced briefings as required by the 2018 defense authorization act. That obviously can’t hurt, and as more agencies do good debriefings, the number of protests will go down.”
Paul Debolt, the chairman of the government contracts group at the Venable law firm, said enhanced debriefings help vendors understand agency decisions and address long-standing problems of not doing a good job articulating the award rationale.
“A lot of the questions are focused on concerns they have about the initial information about why the agency made the decision they did,” he said. “As long as the agency is thorough and relatively transparent in award decision there are a lot of companies who decide not to protest. The other thing that factors in to a protest is whether the disappointed offeror is the incumbent. Based on my experience, if a company is the incumbent and the contract is significant enough, they will look pretty hard at filing a protest. But if an incumbent didn’t get the award and the agency can articulate their reasonable basis, many will walk away and not throw good money after bad.”
The other data point to note is the 15% increase in the number of task and delivery order protests to GAO last year.
Legal experts couldn’t point to a specific reason for the increase, other than agencies are spending more money through multiple award and governmentwide acquisition contracts than ever before.
Crusius said the reason these types of protests haven’t increased even more dramatically may be because vendors have an ongoing relationship with agencies under these types of contracts and they don’t want to sour it.
Finally, one last data point from Crowell and Moring’s Burton.
He pointed out that GAO held hearings for just 1%, or just nine cases, out of more than 2,149 cases filed in 2020. That is way down from 2011 (8%) and 2009 (12%) when many more cases received hearings.
“I think this shows the bid protest process is pretty much a paper process, a review of paper records. I’m not sure if GAO just doesn’t feel like they need oral testimony and can just make a decision based on the administrative record,” Burton said. “It’s only in complex cases and usually something that has to do with cost and price that GAO thinks hearings would be beneficial. I think there are plenty of cases where live testimony has a role to play. The analogy I would use is in the civil or criminal court system. They seem to understand the value of having testimony and witnesses. I’m not sure why GAO is different in that regard.”
When it comes to federal technology and procurement, 2020 will be remembered for many things, but maybe most prominently it was the year telework became the norm and not some luxury of a few forward-thinking agencies.
The year that is almost over also proved urgency and emergency can drive agencies and vendors to get hardware and software in place in record time and within federal rules.
Even if we put the COVID-19 pandemic aside for a second—if we can—2020 raised the cybersecurity stress level of agencies and contractors alike more than at any time over the last five years given the recent SolarWinds cyber breach and the rollout of the Cybersecurity Maturity Model Certification (CMMC) and supply chain risk management efforts. The Homeland Security Department’s decision to relax the burden of the Trusted Internet Connections (TIC) requirements as agencies put more applications in the cloud was one of the few welcomed reprieves.
The year also marked the continued rise of cloud services and the increased use of DevSecOps and agile development, and everyone was talking about artificial intelligence, machine learning and 5G, the darlings of the community.
I asked a panel of experts for their take on 2020 around federal IT and procurement.
The panelists were:
Biggest technology and procurement stories of 2020
Miller: The Cloud Smart strategy set the stage for agencies to better envision the path to cloud adoption as a means to IT modernization. It shifted the conversation from counting data centers to use of emerging technology to support mission enhancement. Unknowingly, this ultimately set the stage for the successes we saw supporting the pandemic.
Jackson: Everything this year was centered around COVID-19. OMB updated its guidance on telework flexibilities in M-20-13, M-20-15 and M-20-19 – all accommodations designed to support broader telework and mission continuity in response to COVID-19, accelerating agencies down the path towards network enhancements, collaboration tools, cloud/platforms and heightened cyber awareness. Prior to COVID, many federal agencies had telework capacity that didn’t support access to capabilities required by the entire workforce. Updating the telework guidance sets the government up to be more aligned with commercial industry’s use of telework. This type of private/public sector parity can accelerate the pace of transformation for the government.
Kent: Although OMB M-20-19, Harnessing Technology to Support Mission Continuity did not introduce any new capabilities, it allowed agencies to prioritize and promote capabilities that were already available, eliminate adoption friction and maximize agency use in ways that further expanded technology and digital tools during the pandemic. This was a proof point of the importance of having clear priority directives from the top of agencies and supporting agency adoption of capabilities.
Hettinger: In my world, the most important OMB policies this year revolved around the response to the pandemic. OMB memos M-20-15 and M-20-16, which provided guidance for federal employees around expanded telework, M-20-18, on managing contract performance during the pandemic and most importantly, M-20-19, which called on federal agencies to harness technology to support the mission as employees and contractors moved to a work-from-home first posture. M-20-19 in particular was critical to adjusting the mindset and providing agencies with flexibility to acquire and leverage the tools they needed–like e-forms and e-signatures–to support remote work. The other key policy issued in response to the pandemic was the interim Trusted Internet Connections (TIC) 3.0 policy issued by the Cybersecurity and Infrastructure Security Agency (CISA). Like the OMB memos, the intent of this interim policy, which was really an offshoot of M-20-19, was to enhance the security of .gov networks against the backdrop of a massive surge in telework. The interim TIC policy has been instrumental in supporting secure remote work environments, enhanced virtual private networks (VPN) and virtual desktops as well as promoting zero trust environments.
Kent: Many have told me that the pivot to telework, teleservice and new product introductions (CARES Act-related) that moved quickly and performed well were a surprise…I was not surprised because it exemplified the great, often overlooked, work being done by agencies every day toward their strategic agendas. It demonstrated that they took action on cloud-supported solutions, modern email, electronic signature, digital citizen services, connected cybersecurity and scalable vendor solutions. It would be a massive failure for service quality, workforce experience and efficiency if the expansion and focus on these did not continue.
Hettinger: This is a tough question but I think I’ll have to go with JEDI. The fact that DoD stuck to its guns and kept this as a single award despite all of the protests and related legal action is pretty surprising. The easy way out would have been to rebid it, make multiple awards and let the vendors fight it out at the task order level.
Arrieta: I think the biggest surprise from my perspective was the speed with which OMB, HHS, White House Coronavirus Task Force, the Homeland Security Department, the Defense Department and the National Security Agency were able to respond to and drive the pandemic response once the policy direction was established. It is a testament to the training that the career workforce has received over the last five-to-10 years. For example, at HHS, the CIO function when I was the leader was able to fund some work eight hours after a large cyber attack, plan, negotiate and award a contract in less than 36 days, and implement a modern Managed Trusted Internet Protocol Services (MTIPs) fully in 119 days using a blended competitive process. Partnering with GSA, the HHS CIO and the contracting officer were able to drive a discount of over 70%. This is an example of the incredible planning and adaptability within the career acquisition and technology workforce at HHS.
Jackson: Beyond COVID, the biggest surprise was how quickly agencies were able to expedite procurements in support of telework capabilities. Federal procurement officers can learn from this success and embrace similar agile practices moving forward. The pandemic proved that it can be done. Now it can be standardized and used for non-crisis environments as well.
Miller: The speed of technology adoption to support a remote workforce during the pandemic. Agencies were creative, agile and responsive to mission needs. The typical procurement obstacles were not barriers to success. The move toward a cloud environment was already underway. Agencies were already looking at commercial solutions for email and collaboration that met our cyber security requirements. The pandemic made those efforts visible very quickly.
The Reporter’s Notebook started off as an idea to highlight all the tidbits and news nuggets that got lost or left out of a story.
It has, I’m pleased to say, morphed into what I hope is news analysis that not only highlights stories rarely covered day-to-day, but takes on well-known topics that make my audience think or reconsider their established positions.
It’s been eight years since I launched this feature and I still surprise myself nearly every week with how stories come together, the federal and industry experts and sources that provide me immeasurable support, insights and ideas that form the notebook and, hopefully have an impact on the three “Ps” of the federal government: Policy, people and programs.
As always, I encourage you to submit ideas, suggestions, and, of course, news to me at email@example.com. The 2018 top 10 list featured stories about change and turbulence in the federal IT and acquisition communities. In 2019, the top stories were more diverse with a mix of IT past, present and future.
In 2020, the top stories conformed to many of the most popular topics that played out across the government with three follow-ons from the previous year.
Here are the top 10 Reporter’s Notebook stories of 2020.
It’s a little surprising that this story was the most read of this year. It came together almost as an after-thought where the Cybersecurity and Infrastructure Security Agency (CISA)-issued use case was an interesting read. After talking to several experts, the story ended up revealing just how serious the cyber incident was for that unnamed agency. In retrospect and knowing what we do now about the SolarWinds cyber breach, it’s no surprise cybersecurity continues to drive the interest of readers.
The Defense Department’s cloud saga known as the Joint Enterprise Defense Infrastructure (JEDI) is the story that just keeps on giving. We wrote at least 17 stories about JEDI in 2020, and the epic doesn’t seem to have an end in sight. In this specific story, the IT Acquisition Advisory Council tried to convince lawmakers to do more to force DoD to rethink its approach to the single-award contract and follow the lead of the CIA. As we know, DoD leadership continues to hold on to its JEDI strategy. It will be interesting to see if the new chief information officer coming into DoD under the administration of President-elect Joe Biden decides to reconsider the JEDI program.
Nearly every agency chief information officer and many vendors love to talk about just how DevSecOps and the agile development methodology have taken over from waterfall. But when you look closer, as we did in this story, many agencies haven’t quite stopped using the much-maligned waterfall development approach. This story highlighted three case studies from the Small Business Administration, the General Services Administration and the Education Department demonstrating that agile and DevSecOps are gaining ground. It’s just not as fast as many would like or contend.
DoD’s Cybersecurity Maturity Model Certification (CMMC) is probably the most talked-about topic for vendors this year. The concern is about how the Pentagon will roll it out, when the third-party certifiers will be in place and which contracts will include the standards. While DoD has answered most of those questions by now, back in February Pentagon leaders were telling vendors not to spend money on CMMC quite yet — no matter what service providers told them they could do. It’s not new for companies to try to take advantage of contractors looking to get ahead of a new program. What was interesting was DoD’s public warning of these scammers.
The interest in the CIA’s cloud contract known as C2E was always high among contractors, but the breaking news of the award seemed to resonate across the federal market. Maybe it’s because the CIA has been out in front in using cloud services when compared with most other agencies? Or maybe it’s because the C2E program often has been compared favorably to the DoD’s problematic JEDI program? Then again, it might have been the second half of the story about a contract award protest faced by CISA that drew the readers. It’s hard to say.
I wrote this story before the COVID-19 pandemic but it foreshadowed what was coming. Agencies and vendors complained for years that the Einstein intrusion detection and intrusion prevention software and the Trusted Internet Connections requirements made cloud services more cumbersome. This news highlights how the Department of Homeland Security finally was outlining a path to ease that burden and why it was such an important story in early 2020. And when the pandemic hit, DHS acted fast with a new remote working use case that brought TIC 3.0 to reality.
Of all the stories in the top 10, I was most surprised this one made it. But, I guess it goes to show you that readers appreciate the research and analysis of the IT and procurement policies in the annual defense authorization bill.
This story came from a Government Accountability Office graphic showing just how much acquisition funding was left to spend. While the graphic was a starting point, the real story evolved as DHS, the IRS and GSA began detailing new solicitations or draft requests for proposals that would make the federal fourth quarter a contracting bonanza.
This story was one of the few instances where GSA either miscalculated the reaction from industry or decided it was just the messenger of the bad news, but held little to no real authority to change the situation. All but shutting off the spigot for agency customers and 8(a) companies right as the fourth quarter of the federal fiscal year was about to start was inconceivable for many companies. The story continued to expand during the year as frustration grew among 8(a) firms and capped off a rough year for small firms working with GSA.
This was the fifth in a series of stories starting in July 2019 on the decision by the Department of Health and Human Services to shut down its assisted acquisition services. More than a year after the decision, this story continued to demonstrate the impact of what many called a horrible, vindictive decision based on faulty logic. The follow-on story in November brought the saga to a sad conclusion where certain HHS leaders resorted to finding a scapegoat to rationalize their poor decisions.
Federal chief information officers and chief information security officers didn’t get a lot of sleep last week, and may not for the foreseeable future.
CIOs and CISOs have spent a long week trying to get a handle on the impact on their networks, systems and data from the SolarWinds cyber attack.
After the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive on Dec. 13, the race was on to detect, mitigate and respond.
And when CISA followed up with an updated cyber alert on Dec. 17, the agencies had yet to begin to fully realize the depth and breadth of the attack.
“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” CISA wrote. “CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available.”
So much for the holiday season as the SolarWinds cyber breach added to what many have called the dumpster fire that is 2020.
While the details of the cyber breach continue to emerge and the agencies impacted come to light, Congress and the incoming administration of President-elect Joe Biden are promising to make 2021 an even busier year for CIOs and CISOs.
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office. We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks,” Biden said in a Dec. 17 statement. “But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”
Add to that a growing number of House and Senate legislators who are calling on CISA, the FBI and other agencies to provide details about the extent of the attack on federal networks and systems.
“The [CISA] directive is not optional and mandates federal agency networks to remove the affected software components for the foreseeable future. While this initial protective step was taken and SolarWinds similarly issued a security advisory, Congress needs to be informed of the size, scope, and details of the cyberattack campaign’s impact on the federal government to appropriately respond to this risk,” wrote a bi-partisan group of six Senators from the Committee on Commerce, Science, and Transportation and the Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies in a letter to the FBI and CISA.
The lawmakers asked for answers to six questions and a briefing as soon as possible.
Not to be outdone, four Democratic leaders of the House Homeland Security and Oversight and Reform committees wrote to the FBI, CISA and the Office of the Director of National Intelligence on Dec. 17 seeking more details on the attack and its impact on agencies.
“To that end, we ask that you provide our committee members with any damage assessments of this attack, including interim analyses, as soon as practicable,” the letter stated.
A day later, Sens. Rob Portman (R-Ohio) and Gary Peters (D-Mich.), the expected chairman and ranking member of the Homeland Security and Governmental Affairs Committee depending on how the special election goes in Georgia, pledged to “plan to hold hearings and work on bipartisan comprehensive cybersecurity legislation in the new year.”
Reps. Adam Smith (D-Wash.), chairman of the Armed Services Committee, and Jim Langevin (D-R.I.), chairman of the Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, also released a statement promising to “continue to push cyber- and technology-related issues to the forefront of national security.”
Basically, CIOs, CISOs and other career executives will face a series of tough questions from Congress over the next year. The question is whether lawmakers and the Biden administration will ask the right set of questions.
A senior federal cyber official, who requested anonymity because they didn’t get permission to talk to the press, said the focus from the federal and congressional leadership has to be around three areas: Why does the cybersecurity approach continue to be faulty? What should the priorities of CISA really be? And how can agencies build better resiliency into their networks and systems given cyber incidents will only increase?
“The current way we are doing cybersecurity is broken and for anyone to say otherwise is mistaken. In many ways we were put on notice by the OPM hack and this one is worse just based on the breadth and depth we are seeing. To solve a problem you first need to admit you have one,” the official said. “DHS is trying to protect everything. It needs to focus on the things that are most meaningful. They have plenty of authority. You can surely argue they may not have enough resources or people, but then again no one does. It’s a matter of knowing protecting those things that can cause real death and harm in our society like the health or electric infrastructure. [It] also means we need to do better job of making it harder once the hackers are in the system, which means we make it hard to understand what is real and what is not. We’ve got to be creative and that’s where you use deception and honey pots. If there was some concern about going down that road before, we can’t have it any longer and we have to be more creative.”
Two former federal senior IT officials, both of whom requested anonymity because their current companies provide cybersecurity services to agencies, echoed that same line of thought, saying the question Congress should be getting to isn’t who to blame, but what can be done differently going forward.
Both former executives say agencies are in much better shape than in 2015 when the massive hack of the Office of Personnel Management came to light. But the SolarWinds breach is a different type of incident and requires a different discussion that both Congress and the Biden administration must lead.
“The fact we have multi-factor authentication deployed as widely as we do is just one sign that agencies are significantly more focused on cyber than in 2015,” said one former executive. “But I want to be clear, that doesn’t mean nation state actors who are interested in looking for and deploying zero days and custom written malware can’t get in the door. If they want to, they can get in the door against almost any defenses. So the question is how do agencies approach cyber defenses going forward?”
This brings me to an aside — stories by major, well-respected news organizations about the “failures” of DHS’ Einstein program are both sad and misinformed.
As someone who has followed Einstein since its beginning, it wasn’t designed to stop custom written code, malware embedded in patches and other unknown threats. It wasn’t difficult for the Washington Post or The New York Times to figure that out with a simple Google search. It’s poor reporting and at least some of their former government sources should’ve known better and explained the goals of the intrusion detection and prevention initiative.
Einstein is not perfect by any means, but the money spent to implement it is not wasted in light of this attack.
Let’s return to the issue at hand. Agencies continue to face major problems in securing their data and systems despite the progress since the OPM hack. The current federal cyber official disagreed with the premise that agencies are better off since OPM. The sources said there may be some areas like the requirement to have multi-factor authentication and the use of continuous monitoring tools under the Continuous Diagnostics and Mitigation (CDM) program.
“DHS consistently asks for more. They needed the Cybersecurity Information Sharing Act. Then they needed a new name, and now they are getting administrative subpoena authority. But what’s fascinating in all of this is it was the companies telling the government about the hack,” the official said. “So where is DHS or where is the government today in terms of being in better shape to detect, mitigate and respond to this type of attack?”
This is why experts say any future cybersecurity programs, whether the move to zero trust or security operations-as-a-service (SOCaaS), will not be panaceas.
But as the former executives said, the goal is to lower the risk posture of agencies and make them more resilient.
“The question is after this is all over, are agencies going to be still talking about managing risk only from an agency perspective or will they talk about it from an enterprisewide government perspective?” said the second former official. “If we move to SOCaaS, it lets agencies more quickly manage risk from a governmentwide perspective and change the dynamic.”
The former federal executive said that’s where Congress should focus its attention and appropriations efforts and the Biden administration should focus its budget requests to put resources into a solution and not into blaming someone or some agency.
“With the OPM breach, OMB had the ability to shape agency’s actions by holding them accountable publicly and through the budget process. OMB could move funds in 2015 and plan for new investments in 2016,” the former executive said. “The question today is do we know where dollars need to go to accelerate change? I don’t think OMB or CISA have identified what capabilities would have helped protect agencies from the SolarWinds attack. There may not have been any. But at least with SOCaaS and more threat hunting teams, the identification, mitigation and remediation would be faster and less complex.”
The former executive said CISA and its Quality Services Management Office (QSMO) are best suited to address these and other challenges. Agencies, generally speaking, rely on CISA to provide many of these cyber capabilities already — which is another challenge that CIOs and CISOs faced over the last week that may have impacted their ability to react and adapt.
The first executive said the move to zero trust also would enable the hunting for attacks and the ability to remediate and maintain resiliency.
“In order for agencies to more effectively secure their environments, agencies need to harden their systems and data all the way to the center. They need to encrypt their data and continue to look at what continuous monitoring means going forward,” the former executive said. “What are the investments to get agencies there? Congress needs to understand that and can’t just decry the incidents and point fingers.”
The General Services Administration’s schedules program brings in more than $38 billion in revenue each year. It’s one of the most well-known acquisition programs in the country with a reach across more than 100 agencies, state and local governments and private sector companies. If a company wants to play in the federal market, usually its first step is to get on the schedule.
This is why recent actions by some GSA contracting officers to drive down prices, particularly for services, to what some say is an unreasonable level are causing so much concern and eliciting words like “bullying” and “holding hostage” from vendors facing this pressure, which has re-emerged over the last four to six months.
Multiple vendors as well as consultants, lawyers and a major GSA-focused trade association representing hundreds of schedule holders say the pendulum has swung too far in how the Federal Acquisition Service is requiring vendors to renegotiate prices, with some being reduced by as much as 40%.
“We are getting our next five years on the schedule and [were] just finishing our 10 year[s] in total. In our entire time on the schedule, we’ve never gotten an economic price adjustment so we have not increased our rates since 2009 or 2010. GSA deemed our rates fair and reasonable at the time,” said one vendor executive, who requested anonymity for fear of reprisal. “When we recently went to modify our schedule contract, the GSA contracting officer said our prices were no longer fair and reasonable and asked us to reduce five of our rates. That just shocked us. We have multiple blanket purchase agreements and other contracts against these rates so for us to back track was unthinkable.”
The vendor said after a lot of back-and-forth, they eliminated one labor category and were forced to reduce the rates of two others.
The vendor’s experience is turning out not to be an aberration. Consultants and lawyers say they know more than just a few companies, mostly in the services market as well as in the IT sector, who say GSA contracting officers have put them in the unenviable position of reducing their rates or losing their schedule contracts.
Jennifer Aubel, a principal consultant at Aronson, said she has three clients who did more than $115 million in total revenue through the schedule contracts last year and were forced to drop their rates in order to add new capabilities or renew their schedule contracts.
“GSA sent one a notice that said their current pricing is not fair and reasonable and they are expected to lower the rates of about 60% of their labor categories, including some that would decrease by as much as 33%,” Aubel said in an interview. “This is not normally how it goes during an option period, especially to say current pricing is not fair and reasonable, which GSA approved.”
Aubel said GSA asked another client to drop 80% of their rates — by as much as 40%.
“It’s really frustrating. The prices awarded were all of sudden no longer reasonable. GSA is not sharing data so there is no way to tell if it’s a legitimate comparison,” she said. “What was striking about the negotiations was GSA was unwilling to negotiate. We provided comparisons with direct competitors and GSA said we were cherry picking and can’t use the data.”
Jonathon Aronie, a procurement attorney with Sheppard Mullin, was less forgiving than Aubel when describing the negotiations with GSA.
“I’ve seen multiple clients accept wholly unfair pricing demands just because GSA is holding their schedule hostage as a big solicitation is coming down. GSA will say sorry we will not add these labor categories until you accept this pricing. This is not what you’d expect of a good partner,” Aronie said. “Most companies just succumb to the bullying. It scares them to push back. Contracting officers just threaten with no renewals, and the idea of fighting with an important customer doesn’t work with some people.”
Mark Lee, the assistant commissioner in the Office of Policy and Compliance in GSA’s Federal Acquisition Service, said in an email that contracting officers use a variety of analysis techniques to determine fair and reasonable pricing.
“FAS is committed to continuous improvement and has updated guidance to ensure thorough documentation of use of these techniques in the contract,” he wrote. “GSA continues to provide contracting officers with better tools to focus on obtaining best value for customer agencies and the taxpayer, and where improvements in our pricing practices have been needed, we have made them.”
He said contracting officers establish negotiation objectives and determine fair and reasonable pricing based upon a variety of pricing analysis techniques including:
But Aubel, Aronie and others said the reason why contracting officers are playing such hardball on prices is directly tied to getting slapped on the wrist by the inspector general.
In December 2019, the IG found FAS’ pricing determination tools were not sufficient and resulted in flawed price determinations. Auditors said this led to invalid price analyses and price reasonableness determinations that failed to leverage the government’s buying power in negotiations.
In April, the IG released an annual review of pre-award audits of 130 new or renewed schedule contracts and again found problems with price reasonableness determinations.
The experts said these and other reports created an environment of fear, thus pushing the pendulum too far in the wrong direction.
“This is reaction to the IG. This is a result of when the IG runs the program and not agency management,” said one industry source, who requested anonymity.
Larry Allen, a GSA expert and the president of Allen Federal Business Partners, said this isn’t the first time he’s seen a push for lower prices, but because it seems to be an across-the-board effort, there is something more going on.
“The IG has a role to play, but its role isn’t to be co-program manager,” he said. “The IG gets to advise and consent, but they are not warranted contracting officers and they should leave the decision on what’s fair and reasonable to contracting officers. FAS leadership should be able to stand up to IG that contracting officers do get fair and reasonable pricing. It’s not like contracting officers are pulled out of checkout stand at Walmart or something. They go through extensive training.”
Two studies in 2018 found pricing on GSA Advantage was lower or equal to commercial pricing, thus creating more frustrations among industry.
Lee said while GSA does not comment on individual negotiations, senior leadership, acquisition managers, the acquisition workforce and the Office of Inspector General actively work together to ensure integrity and fairness in our acquisition process.
“GSA’s acquisition workforce and OIG contract auditors are well trained professionals and adhere to these standards,” he said. “This past year, GSA achieved an all-time high on vendor and customer satisfaction rates which reflects the outstanding work the GSA acquisition workforce does with customer agencies and industry partners to obtain best value for the taxpayer.”
A GSA spokesperson added in fiscal 2020, the customer loyalty survey and supplier relationship management survey reached all-time highs.
The FAS supplier satisfaction increased from 3.7 in 2019 to 3.8 in 2020 (on a 5-point scale). The 2020 FAS supplier satisfaction score is an all-time high for GSA, which it began tracking in 2013.
Lee also highlighted the extensive training contracting officers receive in order to negotiate with vendors.
“GSA has added a number of agency unique training requirements to ensure it maintains a well-qualified, well-equipped acquisition workforce,” he said. “To obtain a senior level warrant, GSA contracting officers must possess a 4-year degree, have 24 or more semester hours in business and complete 592 hours of training. To maintain the warrant, they must take a minimum of 80 hours of training every two years. Market research, price analysis and negotiations are key areas of that training.”
Sheppard Mullin’s Aronie and others say it’s true not every contracting officer is “bullying” or “holding schedules hostage,” but it’s happening enough to be a concern for more than a few companies.
Aronie and others say contracting officers also are telling them that FAS released updated guidance or a pricing handbook that directs them to take a harder line on pricing.
Lee would neither confirm nor deny the existence of a new or updated policy, just saying in an email that “GSA continues to provide contracting officers with better tools to focus on obtaining best value for customer agencies and the taxpayer, and where improvements in our pricing practices have been needed, we have made them.”
Whether or not there is a new policy or updated handbook, experts say the issue of pricing comes down to two things: FAS’ communications with its industry partners, and what outcomes FAS is trying to achieve through the schedules program.
Roger Waldron, the president of the Coalition for Government Procurement, said the return of the hardline price negotiations is disappointing.
“This is counter-productive. We are at a time where we need best and brightest capabilities to support agencies across the board and the drive to low price will drive commercial firms to provide the B, C or even D teams and not the A teams at a time when we are dealing with pandemic and return of near peer competition and to drive a brain drain in schedules program is a long term mistake,” Waldron said. “It’s short sighted and goes against ensuring the best mission capabilities to meet agency needs because it’s driving to lowest price. That will undermine mission capabilities and companies will be forced to provide less capabilities while they focus greater resources on what’s best value for them.”
Waldron pointed out that GSA, like most organizations, is paying more for people. He said over the last 20 years the average pay of a contracting officer increased to $108,000 per year from $54,000 a year.
“The cost of people and to maintain their capabilities doesn’t go down,” he said. “If you want great capabilities to support customer needs, you have to find right balance for best value and that is what they should be focusing on.”
Waldron said he would hope GSA brings in industry to discuss the challenges with pricing and the future of the schedules.
“If they want to be responsive to customer agency needs and be a bridge between the commercial market and the customer they need to understand how the commercial market works and seeking arbitrary price reductions is not understanding the value of people,” he said. “GSA put itself in a position to accelerate the market through schedules consolidation, eliminating stovepipes and making it more dynamic marketplace. But it remains inefficient and counter-productive if the barriers to entry are using this arcane approach and are based on the tyranny of low price, when we are really talking about best value. In some cases, it will be based on low price, but in the services arena, you have to be creating conditions where commercial firms are willing and interested in bringing their capabilities to the federal customer and part of that is reducing risk for all parties and focusing on value. Focusing on low price is not focusing on value.”